Compliagent CEO Nick Merkin was quoted in AHC Media's online publication on a recent potential HIPAA breach by an ESPN reporter. See Nick's expert advice in the article below.

EXECUTIVE SUMMARY

A hospital is conducting an internal investigation after a patient’s medical records were obtained by a television network and published. The patient was a professional football player who had injured his hand.

The disclosure appears to be a clear violation of the Health Insurance Portability and Accountability Act (HIPAA).

The reporter who obtained the record is not subject to HIPAA restrictions.

The patient cannot sue the hospital under HIPAA but could seek civil damages.

When a professional football player’s medical record was published by the sports network ESPN, even those who are outside the healthcare community scratched their heads and wondered how that could happen. The hospital administration is determined to find out.

New York Giants pass rusher Jason Pierre-Paul sought treatment at Jackson Memorial Hospital in Miami after a fireworks accident over the Fourth of July weekend. On the following Wednesday, ESPN reporter Adam Schefter posted a photo of part of Pierre-Paul’s medical record on Twitter, with the note “ESPN obtained medical charts that show Giants DE Jason Pierre-Paul had right index finger amputated today.”

The news was significant in the sports world because of how the injury could affect Pierre-Paul’s performance and also because some critics were questioning why a professional athlete would jeopardize his career by playing with fireworks.

That news was almost overshadowed, however, by immediate questions about how Schefter obtained the medical record and whether it was proper to publish it. Hospital administrators learned of the disclosure quickly. Within 90 minutes of Schefter’s tweet, the Jackson Health System tweeted two statements:

“Federal privacy laws prevent hospitals from disclosing information about patients or their medical records without the patient’s consent.”

“Jackson Health System takes patient privacy seriously and aggressively investigates any alleged violation.”

The next day, Carlos A. Migoya, Jackson Health System president and CEO, issued this statement:

“If these allegations prove to be true, I know the entire Jackson family will share my anguish. Our nurses, doctors, and other healthcare professionals are passionate about our patients’ health and well-being, and that includes the right to privacy. If we confirm Jackson employees or physicians violated a patient’s legal right to privacy, they will be held accountable, up to and including possible termination. We do not tolerate violations of this kind.

“In order to protect our patients’ rights and private information, we enforce strict rules for those who handle patient information and continually educate all employees on privacy regulations. Those rules are constantly evolving as technology changes, but always remain focused on putting our patients first.”

A spokeswoman at the Health and Human Services Office of Civil Rights, which investigates violations of the Health Insurance Portability and Accountability Act (HIPAA), issued a statement saying the office was aware of the incident but could not comment on current or potential investigations.

HOSPITAL AT FAULT

Any responsibility for a HIPAA violation falls on the hospital and perhaps individual employees, says CEO Nick Merkin of Compliagent, a compliance consulting firm in Los Angeles.

“It’s important to clarify that, by definition, neither ESPN nor Adam Schefter, the reporter involved in the case, violated HIPAA. HIPAA regulations can only be violated by a healthcare provider, healthcare clearinghouse, or a health plan — in this case, Jackson Memorial Hospital and its related healthcare professionals,” Merkin says. “There may arguably be issues of journalistic ethics or integrity to debate, but as a legal matter, the press is not covered by HIPAA.”

Additionally, Merkin says, there is no private right of action under HIPAA — only government-imposed fines and penalties. Thus, Jason Pierre-Paul cannot sue any party as part of a HIPAA claim, although there might be significant state law claims that he can bring, along with common law allegations such as invasion of privacy and negligence.

The statements released by the hospital suggest it is handling the allegations of improper disclosure properly by immediately conducting a risk assessment to determine whether an actual HIPAA breach occurred, Merkin says. The results of the internal investigation will dictate the hospital’s next steps, including any breach notification requirements.

The most important question for Jackson Memorial Hospital and other healthcare providers is where the breakdown occurred organizationally, Merkin says.

“In other words, what compliance infrastructure was in place or was lacking that allowed for this improper disclosure to happen? Where was the faulty execution? Was it a result of deficient policies and procedures, inadequate training, ineffective monitoring and auditing, or poor compliance management and oversight?” he says. “And most important, what can be done to prevent these kinds of breaches from reoccurring?